Steviebone
Posts posted by Steviebone
-
Ran rustockbfix.exe, then got this:
Rustock.b-ADS attached to the System32-folder:
Attempting to remove ADS...
Looking for Rustock.b-files in the System32-folder:
ECHO is off.
******************* Post-run Status of system *******************
Rustock.b-driver on the system:
YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net
Rustock.b-ADS attached to the System32-folder:
ECHO is off.
You should either run the tool again or consult more advanced tools
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net
Looking for Rustock.b-files in the System32-folder:
ECHO is off.
You should either run the tool again or consult more advanced tools
Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
Gmer rootkit-scanner may be found here: http://www.gmer.net
******************************* End of Logfile ********************************
-
OK, still got a rootkit, and the Windows Installer is still persisting... how can I stop this from running, where in the registry would this be found, and how do I stop it from repeatedly reopening?
"Staypuffer" - 2007-05-20 14:18:51 Service Pack 2
ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"
Rootkit driver lzx32 is present. A rootkit scan is required
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))
2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe
2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg
2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg
2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg
2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll
2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe
2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll
2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll
2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector
2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys
2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys
2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys
2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys
2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot
2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot
2007-05-19 18:08 164 --a------ C:\install.dat
2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot
2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy
2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker
2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker
2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google
2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy
2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry
2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap
2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap
2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google
2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug
2007-05-15 21:02:01 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss
2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace
2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD
2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll
2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys
2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys
2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP
2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr
2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2
2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster
2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll
2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll
2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys
2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll
2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup
2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll
2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll
2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace
2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft
2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys
2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO
2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr
2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr
2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr
2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr
2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon
2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software
2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software
2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!
2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat
2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll
2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker
2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch
2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe
2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive
2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!
2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys
2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn
2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor
2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone
2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch
2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe
2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon
2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE
2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL
2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2004-05-12 01:03]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-20 06:01:04 C:\XP\tasks\_viceversapr2_task_Ascend.job
2007-05-20 11:19:10 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job
2007-05-20 11:30:08 C:\XP\tasks\_viceversapr2_task_batch.job
2007-05-20 19:30:03 C:\XP\tasks\_viceversapr2_task_Bills.job
2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job
2007-05-20 11:20:37 C:\XP\tasks\_viceversapr2_task_Eudora.job
2007-05-20 19:00:31 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job
2007-05-20 06:20:36 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job
2007-05-20 14:00:31 C:\XP\tasks\_viceversapr2_task_HITSVEN.job
2007-05-20 13:18:16 C:\XP\tasks\_viceversapr2_task_Idisk.job
2007-05-20 13:00:22 C:\XP\tasks\_viceversapr2_task_Links.job
2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job
2007-05-20 08:50:46 C:\XP\tasks\_viceversapr2_task_newag.job
2007-05-20 10:32:16 C:\XP\tasks\_viceversapr2_task_OHITS.job
2007-05-20 11:34:08 C:\XP\tasks\_viceversapr2_task_personal.job
2007-05-20 14:00:39 C:\XP\tasks\_viceversapr2_task_ServersAlive.job
2007-05-20 11:45:13 C:\XP\tasks\_viceversapr2_task_Steviebone.job
2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job
2007-05-20 18:45:01 C:\XP\tasks\_viceversapr2_task_txdot.job
2007-05-20 11:20:07 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 14:31:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-20 14:38:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-20 14:38
C:\ComboFix2.txt ... 2007-05-20 14:04
--- E O F ---
-
OK, ComboFix found a rootkit, as I half expected... below is the log after 3 reboots...
Unfortunately, on every reboot I have an MSI for Visual FoxPro trying to run now... I assume this may be the originally infected file trying to reload... on each reboot, before anything else (even Speed Startup) starts running, I get repeated message dialogs saying Windows Installer is preparing the install for VFP9. I keep hitting cancel as quickly as possible, but the window pops right back up... it takes about 8 or 10 cancels to make it stay away... I fear this program will not give up, perhaps until it has reinfected the machine... Task Manager is still going nuts, showing constant activity at 2-22% with never a pause... syslog is not showing any outbound traffic, however, so we're probably headed in the right direction....
I'm going to run combofix a second time and see if the installer has indeed reinfected the machine...
"Staypuffer" - 2007-05-20 10:29:12 Service Pack 2
ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 79094 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\STAYPU~1\Desktop.\internet explorer.lnk
C:\Program Files\install.log
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))
2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg
2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg
2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg
2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll
2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe
2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll
2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll
2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector
2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys
2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys
2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys
2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys
2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot
2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot
2007-05-19 18:08 164 --a------ C:\install.dat
2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot
2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy
2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker
2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker
2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google
2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy
2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry
2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap
2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap
2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google
2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug
2007-05-15 21:02:01 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss
2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace
2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD
2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll
2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys
2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys
2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP
2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr
2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2
2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster
2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll
2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll
2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys
2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll
2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup
2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll
2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll
2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace
2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft
2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys
2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO
2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr
2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr
2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr
2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr
2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon
2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software
2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software
2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!
2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat
2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll
2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker
2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch
2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe
2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive
2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!
2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys
2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn
2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor
2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone
2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch
2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe
2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon
2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE
2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL
2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2004-05-12 01:03]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-20 06:01:04 C:\XP\tasks\_viceversapr2_task_Ascend.job
2007-05-20 11:19:10 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job
2007-05-20 11:30:08 C:\XP\tasks\_viceversapr2_task_batch.job
2007-05-20 18:01:35 C:\XP\tasks\_viceversapr2_task_Bills.job
2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job
2007-05-20 11:20:37 C:\XP\tasks\_viceversapr2_task_Eudora.job
2007-05-20 18:01:25 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job
2007-05-20 06:20:36 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job
2007-05-20 14:00:31 C:\XP\tasks\_viceversapr2_task_HITSVEN.job
2007-05-20 13:18:16 C:\XP\tasks\_viceversapr2_task_Idisk.job
2007-05-20 13:00:22 C:\XP\tasks\_viceversapr2_task_Links.job
2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job
2007-05-20 08:50:46 C:\XP\tasks\_viceversapr2_task_newag.job
2007-05-20 10:32:16 C:\XP\tasks\_viceversapr2_task_OHITS.job
2007-05-20 11:34:08 C:\XP\tasks\_viceversapr2_task_personal.job
2007-05-20 14:00:39 C:\XP\tasks\_viceversapr2_task_ServersAlive.job
2007-05-20 11:45:13 C:\XP\tasks\_viceversapr2_task_Steviebone.job
2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job
2007-05-20 18:45:01 C:\XP\tasks\_viceversapr2_task_txdot.job
2007-05-20 11:20:07 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 13:54:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-20 14:04:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-20 14:04
--- E O F ---
-
Here is an updated log after running SpywareDetector:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Eset\nod32krn.exe
C:\XP\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\XP\Explorer.EXE
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PTSync\PTSync.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\XP\system32\taskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll
O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [sDAutoLiveupdate] "C:\Program Files\SpywareDetector\LiveUpdateSD.exe" -AUTO
O4 - HKLM\..\Run: [systemTraySD] "C:\Program Files\SpywareDetector\SDSystemTray.exe" -AUTO
O4 - HKLM\..\RunOnce: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" runonce
O4 - HKCU\..\Run: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" bootup
O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799
O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Note: although the rogue traffic on syslog has ceased for the moment, there was still outbound traffic detected during bootup going to unknown domains, and Task Manager still shows continuous memory and resource usage with spikes to 100%.
-
Below is a HijackThis log... the computer in question has been scanned by Spybot S&D, Spy Sweeper, Avast Pro (boot-time scan) and NOD32. Whenever the computer starts up, even before login, syslog shows continuous, varied outbound traffic to rogue destination IP addresses. The traffic is continuous and eats up anywhere from 4 to 85% of the CPU power according to Task Manager. The only thing showing consumption in Task Manager, however, is System Idle Process. At semi-periodic intervals I get errors in services.exe (result code 0) and a forced NT AUTHORITY shutdown/reboot.
As there are over 70 programs installed on this workstation, I would prefer NOT to have to rebuild from scratch. BTW, Acronis has been used to regularly back up the OS daily, but whatever it is is now embedded in all 7 OS backups.
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 2:02:22 AM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Eset\nod32krn.exe
C:\XP\system32\nvsvc32.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\XP\Explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PTSync\PTSync.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\XP\system32\NOTEPAD.EXE
C:\XP\system32\NOTEPAD.EXE
C:\XP\system32\vsjitdebugger.exe
C:\XP\system32\vsjitdebugger.exe
C:\XP\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/
F2 - REG:system.ini: Shell=C:\XP\Explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll
O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" runonce
O4 - HKCU\..\Run: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" bootup
O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799
O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Rogue Traffic
in Malware Removal
Posted
So I ran GMER... I have no idea what to do with this information:
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-20 17:02:03
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT 82F60CD8 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82FAE198 ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT 82FE4880 ZwCreateProcess
SSDT 82F7AB70 ZwCreateProcessEx
SSDT 82F60FA8 ZwCreateThread
SSDT 82FAD338 ZwDeleteKey
SSDT 82FED248 ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT 82F60D50 ZwQueueApcThread
SSDT 82F60BE8 ZwReadVirtualMemory
SSDT 82FCBB38 ZwRenameKey
SSDT 82F60E40 ZwSetContextThread
SSDT 82FE75C0 ZwSetInformationKey
SSDT 82F77210 ZwSetInformationProcess
SSDT 82F60EB8 ZwSetInformationThread
SSDT a347bus.sys ZwSetSystemPowerState
SSDT 82FAD680 ZwSetValueKey
SSDT 82F77198 ZwSuspendProcess
SSDT 82F60DC8 ZwSuspendThread
SSDT 82F77288 ZwTerminateProcess
SSDT 82F60F30 ZwTerminateThread
SSDT 82F60C60 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.12 ----
? C:\XP\System32\DRIVERS\update.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1044] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F992B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 829A6550
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 829A33D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 829A5B88
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 829A5A60
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 829A5938
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 829A5810
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 829A56E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 829A4C60
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 829A4B38
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 829A4A10
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 829A3E58
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 82983D90
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 82983C68
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 82983B40
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 829D2C88
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 829D2B60
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 829D2A38
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 829D2910
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 829D27E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 829D26C0
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 829D2598
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 829D2470
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 829D2348
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 829D2220
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 829D1FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 829D1E90
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 829A6550
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 829A33D8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 829A5B88
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 829A5A60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 829A5938
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 829A5810
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 829A56E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 829A4C60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 829A4B38
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 829A4A10
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 82983D90
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 82983B40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 829D2C88
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 829D2B60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 829D2A38
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 829D2910
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 829D27E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 829D26C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 829D2598
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 829D2470
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 829D2348
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 829D2220
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 829D1FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 829D1E90
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82DBD540
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8245BFB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82DBD540
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_READ 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_WRITE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_EA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FLUSH_BUFFERS 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DIRECTORY_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_LOCK_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLEANUP 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_MAILSLOT 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_SECURITY 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CHANGE 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_QUOTA 82DB42E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 82DB42E0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 82DBD540
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82DBD540
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 82016E98
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 829A6550
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 829A33D8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 829A5B88
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 829A5A60
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 829A5938
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 829A5810
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 829A56E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 829A4C60
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 829A4B38
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 829A4A10
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 82983D90
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 82983B40
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 829D2C88
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 829D2B60
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 829D2A38
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 829D2910
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 829D27E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 829D26C0
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 829D2598
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 829D2470
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 829D2348
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 829D2220
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 829D1FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 829D1E90
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 829A6550
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 829A33D8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 829A5B88
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 829A5A60
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 829A5938
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 829A5810
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 829A56E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 829A4C60
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 829A4B38
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 829A4A10
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 82983D90
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 82983B40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 829D2C88
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 829D2B60
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 829D2A38
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 829D2910
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 829D27E8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 829D26C0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 829D2598
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 829D2470
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 829D2348
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 829D2220
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 829D1FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 829D1E90
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 824B8708
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 829A6550
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 829A33D8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 829A5B88
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 829A5A60
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 829A5938
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 829A5810
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 829A56E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 829A4C60
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 829A4B38
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 829A4A10
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 829A3E58
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 82983D90
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 82983C68
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 82983B40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 829D2C88
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 829D2B60
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 829D2A38
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 829D2910
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 829D27E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 829D26C0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 829D2598
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 829D2470
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 829D2348
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 829D2220
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 829D1FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 829D1E90
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 824B8708
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 8294FE70
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 829DB400
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_READ 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_WRITE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_EA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLEANUP 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_POWER 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA 82D47008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_PNP 82D47008
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 8294DFB0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 8294DFB0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 8294DFB0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 8294DFB0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 8294DFB0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 824A9458
---- Modules - GMER 1.0.12 ----
Module _________ F853D000-F8555000 (98304 bytes)
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\XP\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] 277C3E89C499B260DD37410948245D4EF0F20E10950C565FF78C1B98AB8108FD49B9A5D4B4BC8A91
1C20E908F74267BDB63C6AB7C7F066FC361E452196606E00606F1C0E8C9AEFE583CB87EBB390683DE
869A138AE71EAD95A91193F0A4DC2FCB36A5A29117C23C3040D44D3BBEC60EE3F716FFEA3A443F604
22034E972F67716D4A1F0DAEC324C47089CED3F2CC122AD61F92ED23339508B961731AF4857F0F9A0
6AA94F1E139B5013BD974633704792F91CFD8CFDA49F1E4B0DFE57B6476B8AFE3440E0F5F6D99D06F
1DB038CA829B2DBA6F0AEB6C8953D1C9FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CF
EBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667C038D530D6EB3452C0
38D530D6EB3452A6171C11EC38DE3D8F36E2B830ED536A1FE23375D0DC89E38A98A9CE7ED5A4E9AA7
5EBD488D5586AA24CCE959D5C24FC6114136BD03AD5DF429EB19F3FBE9CB8A72832553B26ABB53937
96540ADF6D7028C3D90EB6A3442605B37308E8545D4327AC7684DC3695BBA32BBE875A726A2FD1F22
2A6C5ECF8E8E347C2A74066169E8B7C6AF4D4726F14334F6D59B3BC3BF8C216AC91089C7D2AF23B9C
325078D9343A86DE4FCBFCF32DBFBFEF84839EE5616218DFC1C8EF40C3CB651C6B62459D3F9D2F4B4
D32ABC149248D365AF629D1CB9B55443A18D392DF0A0F05AD0BB
Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AF7744A-9721-FDD5-BA18-A9578358D751}@hadnkljcbmkdoggg 0x67 0x61 0x6B 0x6C ...
Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AF7744A-9721-FDD5-BA18-A9578358D751}@iaponpeaajedpgikna 0x63 0x61 0x68 0x6B ...
Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Zepter Software\RegLib
Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Zepter Software\RegLib
---- EOF - GMER 1.0.12 ----